What is Zerocoin?

Zerocoin is a project to fix a major weakness in Bitcoin: the lack of privacy guarantees we take for granted in using credit cards and cash. Our goal is to build a cryptocurrency where your neighbors, friends and enemies can’t see what you bought or for how much.

This project began with a proposed extension, called “Zerocoin”, to the Bitcoin protocol that allowed users to mix their own coins. A collaboration between the original Zerocoin project members and cryptographers at MIT, The Technion, and Tel Aviv University has produced a far more efficient protocol that allows direct private payments of hidden value to other users. For disambiguation, we refer to this new protocol as Zerocash, and detail its technical underpinnings here.

The problem: Bitcoin is not private

The Bitcoin payment network offers a highly decentralized mechanism for creating and transferring electronic cash around the world. Unfortunately, Bitcoin suffers from a major limitation: since transactions are stored in a public ledger (called the “block chain”) it may be possible to trace the history of any given payment — even years after the fact. Worse, since the Bitcoin ledger is public, any party can recover this information and data mine to identify users and patterns in the transactions. In other words: Bitcoin transactions are conducted in public.

The Bitcoin protocol and clients address this in two ways: (1) all Bitcoin transactions are conducted using public keys as identifiers, and these public keys are not linked to individual names; and (2) Bitcoin clients are capable of generating many public keys (“identities”) to help users resist tracking. Unfortunately, a growing body of research indicates that these protections are insufficient. The information in the public ledger may allow data miners to link individual transactions, identify related payments, and otherwise trace the activities of Bitcoin users.

The most common solution to this problem is to use Bitcoin laundries: services that mix together many users’ bitcoins in order to obfuscate the transaction history. Laundries suffer from a number of potential drawbacks, however, as they must be trusted to return coins. Moreover, a compromised or malicious laundry offers no anonymity.

What makes Zerocoin and the new Zerocash protocol different from previous approaches:

  • Zerocoin and the Zerocash protocol operate in the Bitcoin network and are implemented as a series of extensions to the existing Bitcoin protocol. This approach means that Zerocoin can be deployed without relying on a central coin issuer or bank (as used in previous e-cash schemes). Moreover, since no single trusted party operates the Zerocoin system, attacks on Zerocoin must take on a substantial fraction of the Bitcoin network.

  • The Zerocash protocol uses provably secure cryptographic techniques to ensure that Bitcoins cannot be traced. These techniques allow users to conduct transactions on the Bitcoin network while receiving strong mathematical guarantees that the transactions cannot be traced. These guarantees remain in place even if a portion of the Bitcoin network is compromised by an attacker.

  • Other anonymous cash systems rely on distributing the work of anonymizing users amongst a set of parties. This approach works well if all parties are fully available but can be subject to “denial of service” attacks where a small number of nodes are taken offline. Because Zerocoin is built on top of Bitcoin, it is widely distributed among all the Bitcoin peers, ensuring that the system can remain available even when many nodes are compromised.

  • With the new Zerocash protocol, unlike the old Zerocoin protocol, users can make direct payments to each other with a vastly more efficient cryptographic protocol that also hides the amount of the payment, not just its origin.

How Zerocoin works

With the new Zerocash protocol, Zerocoin allows direct anonymous payments between parties. Zerocoin transactions exist alongside the (non-anonymous) Bitcoin currency. Each user can convert (non-anonymous) bitcoins into (anonymous) coins, which we call zerocoins. Users can then send zerocoins to other users, and split or merge zerocoins they own in any way that preserves the total value. Users can also convert zerocoins back into bitcoins, though in principle this is not necessary: all transactions can be made in terms of zerocoins.
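The value-flow rules just described (convert bitcoins into zerocoins, split or merge zerocoins in any way that preserves total value, convert back) can be checked with a small bookkeeping model. The following is an added example, not the project's code and not the Zerocash protocol itself: it deliberately omits all cryptography and represents each zerocoin as an opaque note identifier, so that the two rules a verifier must enforce, value conservation and no double-spending, stand out. The class and method names (`ZerocoinLedger`, `mint`, `pour`, `redeem`) are the example's own, not identifiers from the page.

```python
"""Toy ledger modelling Zerocoin value flow (added example, not protocol code).

Simplifying assumptions (constructed for illustration):
  - a note is an opaque random id plus an integer value; no commitments,
    proofs or nullifiers are modelled
  - the ledger itself tracks which notes are unspent, which a real
    protocol must do without learning note values or owners
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Note:
    note_id: str   # opaque identifier standing in for a coin commitment
    value: int     # integer value units (constructed; think "satoshis")


class ZerocoinLedger:
    def __init__(self) -> None:
        self.unspent: dict[str, Note] = {}
        self.spent: set[str] = set()
        self.bitcoin_pool: int = 0   # bitcoins locked in exchange for notes

    def _new_note(self, value: int) -> Note:
        note = Note(secrets.token_hex(16), value)
        self.unspent[note.note_id] = note
        return note

    def mint(self, btc_value: int) -> Note:
        """Convert (non-anonymous) bitcoins into one zerocoin note."""
        if btc_value <= 0:
            raise ValueError("mint value must be positive")
        self.bitcoin_pool += btc_value
        return self._new_note(btc_value)

    def pour(self, inputs: list[Note], output_values: list[int]) -> list[Note]:
        """Consume input notes and create output notes of any split,
        provided the total value is preserved and no input is reused."""
        seen: set[str] = set()
        for n in inputs:
            # reject notes never minted, already spent, tampered values,
            # or the same note listed twice in one pour
            if n.note_id in seen or self.unspent.get(n.note_id) != n:
                raise ValueError(f"note {n.note_id} is not spendable")
            seen.add(n.note_id)
        if not output_values or any(v <= 0 for v in output_values):
            raise ValueError("output values must be positive")
        if sum(n.value for n in inputs) != sum(output_values):
            raise ValueError("pour does not preserve total value")
        for n in inputs:
            del self.unspent[n.note_id]
            self.spent.add(n.note_id)
        return [self._new_note(v) for v in output_values]

    def redeem(self, note: Note) -> int:
        """Convert a zerocoin note back into bitcoins; returns the amount."""
        if self.unspent.get(note.note_id) != note:
            raise ValueError(f"note {note.note_id} is not spendable")
        del self.unspent[note.note_id]
        self.spent.add(note.note_id)
        self.bitcoin_pool -= note.value
        return note.value

    def total_zerocoin_value(self) -> int:
        """Sum of all unspent notes; must always equal bitcoin_pool."""
        return sum(n.value for n in self.unspent.values())


if __name__ == "__main__":
    ledger = ZerocoinLedger()
    a = ledger.mint(100)
    b, c = ledger.pour([a], [60, 40])        # split
    (d,) = ledger.pour([b, c], [100])        # merge
    print("conserved:", ledger.total_zerocoin_value() == ledger.bitcoin_pool)
    print("redeemed:", ledger.redeem(d))
```

The invariant worth keeping in mind is `total_zerocoin_value() == bitcoin_pool` after every operation; any accepted pour that broke it would amount to creating money. In the real protocol that check, and the "not already spent" check, are enforced by proofs rather than by a ledger that can see note values.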

For a more detailed explanation of the new Zerocash protocol, see the Zerocash protocol website.

The road ahead

The plan is to make an altcoin, powered by the new Zerocash protocol, that provides consumers with the financial privacy they expect from debit cards, credit cards, and cash. To do this, we plan to release a working client, of production rather than research code quality, based on the Bitcoin 0.9.1 codebase and integrating the new Zerocash protocol.